Insights Blog

What Can I Recover from a BFU Extraction?

When an iPhone is seized, measures should be taken to ensure that the maximum amount of data can be extracted from the device.  iPhone have two states:  After First Unlock (AFU) and Before First Unlock (BFU).  When in AFU, the device has been unlocked at least once after it was powered on.  In this state, tools are able to extract a lot of information from the device.  If the phone is turned off, or loses power, it reverts to the less helpful BFU mode.  Without the user password, a BFU extraction is all you’re going to get.

A BFU extraction, obtainable with GrayKey and Cellebrite Premium, should theoretically contain only system data.  These limited extractions do contain mostly system data, but they also contain some good user data mashed in as well.  The challenge is to locate and interpret what user data is present.

KTX Files

Some user data seen in these extractions is contained in .KTX files.  KTX files appear to be a proprietary method Apple uses to show thumbnail version of background apps or SMS attachments.

Ingesting the extraction with BlackLight 2020 R1, you can filter for .ktx files.

 

Both system and non-system .ktx files will be shown.  You can differentiate the two by looking at the path.

Non-system .ktx files, which have the potential for containing user data are typically in paths like:

/private/var/mobile/Library/Caches/com.apple.MobileSMS/Previews/Attachments/ b7/07/1C495ABD-6D72-4E67-BCF0-61D3CD9B0EA8/ms-M4NDH5-preview.ktx. 

System generated .ktx files are stored in Framework paths, for example:

/System/Library/PrivateFrameworks/AssetViewer.framework/PlugIns/ASVAssetViewer.appex/studio_lighting_armode_specmap.ktx

/System/Library/Frameworks/RealityKit.framework/studio_lighting_armode_specmap.ktx

When you select a .ktx file, the File Content Viewer will not display the file.  This is because there is a leading 8-byte hex string before the normal .ktx file header (<<KTX.11>>):

 

Exporting the .ktx files and loading them in Photos in macOS will also not work because of this erroneous 8-byte string.  So how do we look at the data?  Perform the following steps to view the .ktx picture:

  1. With the .ktx file highlighted in the Content Pane, select the Hex tab in File Content Viewer.
  2. In File Content Viewer, highlight (select) all the data contained in the file with the exception of the first 8-bytes.
  3. Command-click on the highlighted data in the File Content Viewer and select Export, Export Selection, Raw Data….
  4. A Save dialog box appears.  Provide a name for the file.  The new file will contain the data from the original file, minus the erroneous 8-bytes.
  5. Open the new modified .ktx in macOS. The .ktx can be converted to a .JPG.

 

Other Information that Could Be Useful

You may find other information in the BFU extraction that is relevant to your investigation.  Keep in mind that many users store information, and possibly device backups, in iCloud.  You may potentially find information allowing you to apply for a search warrant for iCloud information.  Refer to the following locations to find iCloud data:

  • Last Cloud Backup Date: /private/var/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist
  • Last logged-in user Directory Service Identifier (DSID): /private/var/mobile/Library/Preferences/com.apple.corerecents.recentsd.plist
  • iCloud Configuration Information: /send memes/private/var/mobile/Library/Preferences/com.apple.storebookkeeper.plist
  • Cloud Sync Enabled and Cloud Sync Enabled Modification Date: /private/var/mobile/Library/Preferences/com.apple.assistant.backedup.plist
  • Home Sharing Apple ID: /private/var/mobile/Library/Preferences/com.apple.homesharing.plist
  • iCloud Sync Information: /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist

 

And finally, two other locations that may contain user information in BFU Extractions:

  • applicationState.dndb:  /private/var/mobile/Library/FrontBoard/applicationState.db
  • Snapchat primary.docobjects database containing contact information:/private/var/mobile/Containers/Data/Application/B65F45DF-09DB-4510-9E04-D8C5D5AF9DF7/Documents/user_scoped/4f865e4901fcb2103db07ff946a974ecf0094545050a837c45d7f224e58c4892/DocObjects/primary.docobjects

 

Remember, if you seize an iPhone and it is already powered on, try to keep it that way so you can get the AFU extraction.  But, if your only option is the BFU extraction, take a good look at the information.  Some user data typically is mashed in with the system information.  It may be enough to provide new leads on your case.

BlackBag Team